
This should probably be an official FAQ, but a) I wanted to rant a bit more than is probably acceptable for something "official" and b) the sort of person this information is directed at never bloody reads
keyring.debian.org, which is the logical place for it.
Who are keyring-maint?
Currently Gunnar Wolf (good cop) and Jonathan McDowell (bad cop). Previous
keyring maintainers include Igor Grobman & James Troup.
I'd like to be a DM/DD. Do I send you my key?
No. You go through the
DebianMaintainer or
NM processes. Then the DM team or DAM tell us
to add your key to the appropriate keyring.
I'd like to replace my DM/DD key in the Debian keyring. What should I do?
Read the instructions at
http://keyring.debian.org/replacing_keys.html
I have a new key that isn't signed by anyone else, will you accept it?
No. Did you read http://keyring.debian.org/replacing_keys.html ?
I've got a single DD signature on my new key. That's enough, right?
Not unless your old key has been lost and you're getting a different
DD to request the replacement for you (and if they're prepared to ask
for a key replacement we'll wonder why they're not prepared to sign
the new key too).
Did you read http://keyring.debian.org/replacing_keys.html ?
I'm still really confused about how I should request a key replacement. Help?
Try reading
https://rt.debian.org/Ticket/Display.html?id=3141
(which just happens to be a recent decent example). Clear subject line
(I'd have added a real name too, but it's still fairly clear), full
fingerprint of the old and new keys, inline signed so RT doesn't mangle
it. New key signed by old key and 3 other DDs. Request signed by old
key.
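The signature requirements above can be pre-checked before the ticket is filed. This is an added example, not keyring-maint's tooling: it parses the output of `gpg --with-colons --check-sigs <new key fingerprint>` and reports whether the new key carries a good signature from the old key and from how many other DDs. The sample output and every key ID in it are constructed; real DD key IDs would come from the current debian-keyring.

```python
"""Pre-flight a key replacement request: does the new key carry a good signature
from the old key and from enough other DDs?  Input is the output of
`gpg --with-colons --check-sigs <NEW-KEY-FINGERPRINT>`.  The sample output and all
key IDs are constructed; real DD key IDs come from the current debian-keyring."""
from dataclasses import dataclass

OLD_KEY = "1111111111111111"                       # constructed: key being replaced
DD_KEYS = {OLD_KEY, "2222222222222222", "3333333333333333",
           "4444444444444444", "5555555555555555"}  # constructed: keys in the DD keyring

SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1400000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000AAAAAAAAAAAAAAAA:
uid:u::::1400000000::DEADBEEF::Some Developer <dev@example.org>::::::::::0:
sig:!::1:AAAAAAAAAAAAAAAA:1400000000::::Some Developer <dev@example.org>:13x:::::2:
sig:!::1:1111111111111111:1400000100::::Some Developer <dev@example.org>:10x:::::2:
sig:!::1:2222222222222222:1400000200::::DD One <one@debian.org>:10x:::::2:
sig:?::1:9999999999999999:1400000300::::[User ID not found]:10x:::::2:
sig:!::1:3333333333333333:1400000400::::DD Two <two@debian.org>:10x:::::2:
sig:!::1:4444444444444444:1400000500::::DD Three <three@debian.org>:10x:::::2:
"""

@dataclass(frozen=True)
class ReplacementCheck:
    new_key: str
    signed_by_old_key: bool
    dd_signers: frozenset        # DDs other than the old key with a good signature
    unknown_signers: frozenset   # signer keys not in the local keyring: fetch and re-run

    def acceptable(self, required_dd_sigs=3):
        return self.signed_by_old_key and len(self.dd_signers) >= required_dd_sigs

def check_replacement(colons_output, old_key, dd_keys):
    new_key, good, unknown = None, set(), set()
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            new_key = f[4]               # field 5 is the key ID of the key being checked
        elif f[0] == "sig":
            signer = f[4]
            if signer == new_key:
                continue                 # self-signature: says nothing about who vouches
            if f[1] == "!":              # "!" means gpg verified the signature
                good.add(signer)
            elif f[1] == "?":            # "?" means the signing key is not available locally
                unknown.add(signer)
    return ReplacementCheck(new_key, old_key in good,
                            frozenset((good & dd_keys) - {old_key}), frozenset(unknown))
```

A signer listed as unknown is not evidence either way until its key has been fetched and the check re-run.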
That RT link needs a login. I don't have one.
Have you tried reading up on the Debian RT system? There's a generic
read-only login that'll get you access.
That's too hard. Can't you just give me the details?
Damnit. It appears the read-only login details are currently disabled
due to misuse (one wonders how). Try reading
http://wiki.debian.org/rt.debian.org
Why are you using RT? Isn't bugs.debian.org more appropriate?
We need the ability for people to contact us in a private fashion, for
example if they need us to remove a key because it's been lost or
compromised. We could use RT only for that purpose and use bugs.d.o for
things that can be public, but this way all the information is in one
place and we get to make the call about when it becomes a publicly
viewable ticket.
What's with jetring? Should I send you a jetring changeset?
jetring is a tool written by Joey Hess that used to be used to manage
the Debian Maintainers keyring. keyring-maint borrowed a number of
good ideas from jetring but don't use it at all. We ignore jetring
changesets.
So you just want key fingerprints, not attached keys?
Yes. Of course you have to make sure your key is actually on a
public keyserver so we can get it. the.earth.li is a good choice (because
Jonathan runs it and thus pays more attention to it), but subkeys.pgp.net
or pool.sks-keyservers.net are also commonly used.
My key has expired and I want to update the key expiry date. I should email RT asking for this to be done, right?
No, you should send the updated key via HKP to keyring.debian.org. You
can do this with
"gpg --keyserver keyring.debian.org --send-key <keyid>"
Obviously replace <keyid> with your own key ID.
I tried to send an entirely new key via HKP to keyring.debian.org, but I can't see it there. What gives?
keyring.debian.org only accepts updates to keys it already knows
about. That means you can send updated expiry dates, new uids and new
signatures to your existing key, but not an entirely new key.
I sent my updated key via HKP to keyring.debian.org and can see it's updated there, but the Debian archive processing tools (eg dak) don't seem to recognize the update. Why not?
The updates sent via HKP are folded back into the HKP server
automatically every 15 minutes or so. They are folded into the live
Debian keyrings on a manual basis, at least once a month.
This means if your key has an expiry date then you probably want to
update your key at least a month before it expires.
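Since the live keyrings only pick up HKP updates at a manual monthly push, it is worth knowing how close a key is to the one-month margin. This is an added example, not from the page: it reads the expiry from the `pub` record of `gpg --with-colons --list-keys <keyid>` (field 7, which is empty for a key that never expires and is printed as epoch seconds, a `YYYYMMDDTHHMMSS` stamp or, in older GnuPG, a `YYYY-MM-DD` date) and says whether the key is inside the margin. The sample records are constructed; `utc()` is a helper added for reproducible timestamps.

```python
"""Report how long a key has before it expires, so an update can be sent via HKP
at least a month ahead of the next keyring push.  Parses the `pub` record of
`gpg --with-colons --list-keys <KEYID>`; field 7 is the expiry date.
Sample records are constructed."""
from datetime import datetime, timezone

SAMPLE_EPOCH = "pub:u:4096:1:AAAAAAAAAAAAAAAA:1400000000:1420000000::u:::scESC::::::23::0:"
SAMPLE_ISO   = "pub:u:1024:17:BBBBBBBBBBBBBBBB:2009-01-01:2015-01-01::u:::scESC:"
SAMPLE_NOEXP = "pub:u:4096:1:CCCCCCCCCCCCCCCC:1400000000:::u:::scESC::::::23::0:"

def utc(year, month, day):
    """Helper for a reproducible 'now' (assumption of this example, not gpg output)."""
    return datetime(year, month, day, tzinfo=timezone.utc)

def expiry_of(pub_record):
    """Return the key's expiry as an aware datetime, or None if it never expires."""
    f = pub_record.split(":")
    if f[0] != "pub":
        raise ValueError("expected a pub record")
    raw = f[6]
    if not raw:
        return None                                   # no expiry set on the key
    if raw.isdigit():                                 # seconds since the epoch
        return datetime.fromtimestamp(int(raw), tz=timezone.utc)
    if "T" in raw:                                    # ISO 8601 basic, e.g. 20150101T000000
        return datetime.strptime(raw, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.strptime(raw, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def days_until_expiry(pub_record, now):
    exp = expiry_of(pub_record)
    return None if exp is None else (exp - now).days

def needs_update(pub_record, now, margin_days=30):
    """True when the key expires within margin_days (the page's one-month advice)."""
    days = days_until_expiry(pub_record, now)
    return days is not None and days <= margin_days
```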
Where can I find these live Debian keyrings?
They're what's available via rsync from
keyring.debian.org::keyrings/keyrings/
This is the canonical location for the current Debian Developers and
Debian Maintainers keyrings.
What about the debian-keyring package?
This is a convenience package of the keyrings. It's usually the most
out of date. We update it sporadically and try to ensure that the
version shipped with a stable Debian release is current at the point
of release. It is not used by any of the official Debian
infrastructure.
Why don't you automatically update my key in the live keyring when I send an update via HKP?
We think that automatic updates of keys that allow uploads to Debian
are a bad thing and that invoking a human eye at some step of the
process is a useful sanity check.
Paranoid much?
Never enough.
How are updates to the keyring tracked?
We use bzr to maintain the keyring, with a separate file per key that
can then be easily combined into the various keyrings. You can see
the repository at:
http://bzr.debian.org/scm/loggerhead/keyring/debian-keyring/changes
Note that this is only updated when a keyring is pushed to live; the
working tree may contain details of compromised keys and thus isn't
public.
What's with the whole replacement of 1024 bit keys?
Two things. Firstly, 1024 bit keys tend to use SHA1 as a hash algorithm,
which has been shown to be weaker than expected. While we're not aware
of active exploits against this, updating all of the keys Debian uses is
not a trivial process and it's wiser to get it done /before/ there's a
known issue. Secondly, computing power has moved on and we feel that
upgrading to larger key sizes is prudent.
Elliptic curve cryptography (ECC) keys look like the future. Can I use one for Debian?
No, not at present. When there are tools that are part of a Debian
stable release that support them we'll look into it, after discussion
with the major users of the keyring (DSA, ftpmaster, the secretary).